
Claims 

We claim: 

1 . A method for providing access control management to electronic data, the 
method comprising: / 

establishing a secured link with a client machine when an authentication 
request is received the client machine, the authentication request 
including an identifier identifying aoiser of the client machine to access 
the electronic data, wherein the electronic data is secured in a format 
including security information and encrypted data portion, the security 
information being encrypted add controlling restrictive access to the 
encrypted data portion; / 
authenticating the user according to the identifier; and 
activating a user key after the user is authenticated, wherein the user key 
is used to decrypt the encrypted security information. 

2. The method as recited in Claim 1 further comprising maintaining an access 
control management, whdrein the access control management comprises: 

a rule manager inducing at least one set of rules for the electronic data; 
and / 

an administration interface from which an operator manages the rules for 
a designated place for the electronic data. 

3. The method as recited in Claim 2 wherein the designated place is a folder 
and all files ii/the folder are subject to the rules. 

4. The method as recited in Claim 2 wherein the designated place is a repository 
and all files in the repository are subject to the rules. 
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5. The method as recited in Claim 2 wherein the rule/manager provides a 
graphic user interface from which the rules can be created, managed or 
updated. / 



6. The method as recited in Claim 5 wherein parameters determining the rules 
from the graphic user interface are subsequently expressed in a markup 
language. 



7. The method as recited in Claim 6 wherein the parameters expressed in the 
markup language are uploaded to/the client machine after the user is 
authenticated. 



8. The method as recited in Claim 7 wherein the markup language is Extensible 
Access Control Markup Language. 



9. The method as recited in Claim 7, wherein the markup language is selected 
from a group consisting of HTML, XML and SGML. 



10. The method as recited in Claim 2, wherein the access control management 
further comprises a user manager coupled to a database including a list of 
authorized users^and respective access privileges associated with each of the 
authorized users. 



1 1.The method'as recited in Claim 10, wherein the authenticating of the user 
comprises;/ 

looking up in the database for the user; and 
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getting, from the database, access location informatioryas to where the 
user is authorized to access the electronic data if .information about the 
user is located in the database. 



12. The method as recited in Claim 1 1 , wherein the identifier further identifiers the 
client machine; and wherein the authenticating^ the user comprises 
determining, from the access location information, whether the client machine 
is permitted by the user to access the electronic data. 



13. The method as recited in Claim 1 1 , wherein the access location information 

i'~ I 

u includes locations or specific client machines from which the user is 

a I 

"4 authorized to access the electronic.data. 

ru 
! n 

J 14. The method as recited in Claim/1 , wherein the user key is in the client 

ii / 

□ machine; and wherein the activating of the user key comprises: 

ru / 

^ sending an authentication message to the client machine; and 

i'U / 

q activating the user kewwith the authentication message. 

ru 

15. The method as recitejd in Claim 14, wherein the electronic data, when 
secured, includes a/header that further includes the encrypted security 
information and a/signature signifying that the electronic data is secured. 



16. The method as recited in Claim 15, wherein the security information includes 
a set of access rules and a file key, and wherein the file key can be retrieved 
to decivpt/the encrypted data portion only if access privilege of the user is 
successfully measured by the access rules. 
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17. The method as recited in Claim 1 further comprising associating the activated 
user key with the user locally. 



18. The method as recited in Claim 17, wherein the electronic data, when 
secured, includes a header that further includes the^ncrypted security 
information and a signature signifying that the electronic data is secured; the 
encrypted security information including a set o/access rules and a file key, 
and wherein the method further comprises: 

receiving the header from the client machine; 

decrypting the security information in/the header to retrieve the access 
rules therein; and 

retrieving the file key when the access rules are measured successfully 
against access privilege of trie user. 

19. The method as recited in Claim 18 further comprising sending the file key to 
the client machine in which the encrypted data portion can be decrypted with 
the file key by a cipher mcraule executing in the client machine. 

20. A method for providijjg access control management to electronic data, the 
method comprising: 

authenticating a user attempting to access the electronic data; 

maintaining/a private key and a public key, both associated with the user, 
wherein the electronic data, when secured, includes a header and an 
encrypted data portion, the header further includes security 
information; 

encrypting the security information with the public key when the electronic 
yflata is to be written into a store; and 
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decrypting the security information with the private key wj?»eri the electronic 
data is to be accessed by an application. 



21. The method as recited in Claim 20, wherein the authentication of the user 
comprises: 

establishing a link with a client machine from which the user is attempting 

to access the electronic data; i 
demanding credential information from the user; and 
receiving the credential information from ti/e client machine over the 

secured link. 



22. The method as recited in Claim 21, wheFein the credential information 
includes a pair of username and passWord provided by the user. 



23. The method as recited in Claim 2^/wherein the credential information 
includes biometric information captured from the user by an apparatus 
coupled to the client machine., 



24. The method as recited in Claim 21, wherein the encrypting of the security 
information with the public key comprises: 

receiving access rules and a file key, wherein the file key has been used 

to produce the^encrypted data portion in the client machine; 
including the access rules and a file key into the security information; and 
encrypting the security information with the public key. 



25. The methoaas recited in Claim 24 further comprising: 

generating the header with the security information encrypted therein; and 
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uploading the header to the client machine where the heade/is integrated 
with the encrypted data portion. 

26. The method as recited in Claim 24, wherein the access 7 rules are expressed 
in a markup language. 

27. The method as recited in Claim 26, wherein theyriarkup language is one of 
Extensible Access Control Markup Language./HTML, XML and SGML. 



28. The method as recited in Claim 21 , wherein the decrypting of the security 
information with the private key comprises: 

receiving the header from the client machine over the link; 
parsing the security informatioiwom the header; and 
decrypting the security information with the private key. 



29. The method as recited in Claim 28 further comprising: 

obtaining access rules^om the security information; 
determining whethe/the access rules accommodate access privilege of 

the user; 
when the determining succeeds, 

retrieving a file key from the security information; and 

sending/the file key to the client machine over the link, 
when the/aetermining fails, 

sending an error message to the client machine over the link. 

30. The method as recited in Claim 29 wherein the error message indicate that 
the .user does not have the access privilege to access the electronic data. 
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31. A method for providing access control management to electronic data, the 
method comprising: / 

receiving a request to access the electronic data by an application; 
determining security nature of the electronic data/ 
when the security nature indicates that the electronic data is secured, the 
electronic data including a header and an^ncrypted data portion, the 
header further including security information, 

determining from the security information if the user has necessary 

access privilege to access thp encrypted data portion; and 
decrypting the encrypted data^portion only after the user is 

determined to have the necessary access privilege to access 

/ 

the encrypted data portion. 



32. The method as recited in Claim 31 further comprising retrieving a user key 

/ 

associated with a user making/he request. 



33. The method as recited in Claim 32 wherein said determining from the security 



information if the user has necessary access privilege comprises: 

decrypting the security information with the user key; 

/ 

retrieving access rules from the security information; and 



measuring the access rules against the access privilege of the user. 

I 

34. The method as recited in Claim 33 further comprising: 

retrieving a'file key from the security information if the measuring of the 

/ 

access rules against the access privilege succeeds. 
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35. The method as recited in Claim 33 further comprising: 

causing the client machine to display an error message to the user if the 
measuring of the access rules against the'access privilege fails. 



36. The method as recited in Claim 32, wherein Jhe retrieving of the user key 
comprises: 

establishing a link with a server executing an access control management; 
sending to the server an authentication request including an identifier 

identifying the user for the access control management to authenticate 

the user; 

forwarding the header to the server; and 
receiving a file key retrieved from the header. 



37. The method as recited in Clahp 36 further comprising: 

activating a cipher module; and 

/ 

decrypting the encrypte # d data portion by the cipher module with the 
received file key. 



38. The method as recited/in Claim 37 further comprising loading the decrypted 

~r 

39. The method as recited in Claim 32, wherein the retrieving of the user key 
comprises: / 

establishing/a link with a server executing an access control management; 
sending toWie server an authentication request including an identifier 

identifying the user for the access control management to authenticate 

the user; 
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receiving an authentication message after the user is authenticated; and 
activating the user key locally in the client machine. 

40. The method as recited in Claim 39, wherein the usenkey is in an illegible 
format before the activating of the user key locallyyn the client machine. 

41. A system for providing access control management to electronic data, the 
method comprising: / 

a client machine executing a document securing module that operates in a 
path through which the electronic/data is caused to pass when 
3 selected, the document securing module determining security nature of 

the electronic data, 
an access control server coupled to the client machine over a network, the 
l, Z access control server including an account manager managing all 



o 

m 



nclt 

users who access the electronic data; and 
wherein the client machine and a user thereof are caused by the 



I'U document securing module to be authenticated with the access control 

□ / 

I'U server when the^ecurity nature indicates that the electronic data is 

secured; and 

wherein access/ules in the secured electronic data are retrieved with a 



SS/TUle 

user key associated with the user. 



42. The system as recited in Claim 41 wherein the access rules are measured 
against access privilege of the user. 

43. The system as recited in Claim 42 wherein the document securing module 
activates a cipher module to decrypt an encrypted data portion in the secured 
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electronic data with a file key obtained therefrom after the document securing 
module determines that the access privilege of the user iSypermitted by the 
access rules. 



44. The system as recited in Claim 43 wherein the user key stays in the access 
control server that receives part of the secured electronic data; and wherein 
the access rules and the file key are obtained from the part of the secured 
electronic data 



45. The system as recited in Claim 44 wherein the access control server forwards 



3j 

the file key to the client machine over the network. 



46. The system as recited in Claim 43 wherein the user key stays in the client 
machine and is activated when both the client machine and the user are 
authenticated by the access control server. 



47. A system for providing acces^ control management to electronic data, the 
method comprising: 

a storage device including at least an active place designated for keeping 
the electronic data secured, the secured electronic data including 
encrypted security information that further includes at least a set of 
access rules/and a file key; 
a client machine coupled to the storage device and executing a document 
securingymodule that operates in a path through which the electronic 
data isycaused to pass from the active place when selected by an 
application; 
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an access control server coupled to the client machine over a network and 
receiving a part of the electronic data including the encrypted security 
information from the client machine, the encrypted security information 
being decrypted with a user key associated with a'user executing the 
application in the client machine to access the electronic data after 
both the user and the client machine are authenticated; 

wherein the set of access rules are measured/against access privilege of 
the user in the access control server, if successful, the file key is 

/ 

returned to the client machine to facilitate a recovery of the electronic 
data in clear mode. 



48. A software product to be executable in/a computing device for providing 
access control management to electronic data, the software product 
comprising: 

program code for establishing a secured link with a client machine when 
an authentication request is received therefrom, the authentication 
request including aiyaCntifier identifying a user from the client machine 
to access the electronic data; 
program code for authenticating the user according to the identifier; and 
program code for activating a user key after the user is authenticated. 



49. The software product as recited in Claim 48 further comprising program code 
for maintaining/an access control management, wherein the access control 
management' comprises: 

a rule manager including at least one set of rules for the electronic data; 
and 
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an administration interface from which an operator manages the rules for 
a designated place for the electronic data. 



50. The software product as recited in Claim 49 wherein the designated place is a 
folder and all files in the folder are subject to the rulers. 



/ 



51 .The software product as recited in Claim 47 wherein the designated place is a 

/ 

repository and all files in the repository are subject to the rules. 



52. The software product as recited in Claim jl wherein the rule manager 
provides a graphic user interface from which the rules can be created, 
managed or updated. 



53. The software product as recited jr/Claim 52 wherein parameters determining 
the rules from the graphic user jnterface are subsequently expressed in a 
markup language. 



54. The software product as^ecited in Claim 53 wherein the parameters 
expressed in the markup language are uploaded to the client machine after 



ticatinq of tn6 



the authenticating ^crfthe user succeeds. 

55. The software product as recited in Claim 54 wherein the markup language is 
Extensible Access Control Markup Language. 

56. The software product as recited in Claim 54, wherein the markup language is 
selected^rom a group consisting of HTML, XML and SGML. 
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57. The software product as recited in Claim 49, wherein the access control 
management further comprises a user manager coupled^o a database 
including a list of authorized users and respective access privileges 
associated with each of the authorized users. 



58. The software product as recited in Claim 57, wherein the program code for 
authenticating the user comprises: 

program code for looking up in the database for the user; and 
program code forgetting, from the database, access location information 
as to where the user is authorized to access the electronic data if the 
user is located in the database. 



59. The software product as recited in^Claim 58, wherein the identifier further 

identifiers the client machine; and wherein the program code for 

/ 

authenticating the user comprises program code for determining, from the 
access location informationy/vhether the client machine is permitted by the 
user to access the electronic data. 



60. The software product as recited in Claim 58, wherein the access location 
information includes/locations or specific client machines from which the user 
is authorized to access the electronic data. 



61 .The software product as recited in Claim 48, wherein the user key is in the 
client machine; and wherein the program code for activating the user key 
comprises/ 

program code for sending an authentication message to the client 
Machine; and 
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program code for activating the user key with the authentication message. 

62. The software product as recited in Claim 61, wherein the/electronic data, 
when secured, includes a header and an encrypted daja portion; and wherein 
the header includes security information that can beyaccessed with the 
activated user key. 

63. The software product as recited in Claim 62, Wherein the security information 

includes a set of access rules and a file keyf and wherein the file key can be 

retrieved to decrypt the encrypted data portion only if access privilege of the 

/ 

user is successfully measured by the access rules. 



Q 
[4 

j;fj 64. The software product as recited inSlaim 48 further comprising program code 
!i p for associating the activated user/key with the user locally. 

□ 

I'U 65. The software product as recited in Claim 64, wherein the electronic data, 

I'D when secured, includes a header and an encrypted data portion, the header 

□ / 

FU includes security information and a file key; and wherein the software product 

further comprises: 

program code for receiving the header from the client machine; 
program code/for decrypting the header to retrieve access rules in the 

security information; and 
program code for retrieving the file key when the access rules are 
measured successfully against access privilege of the user. 
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66. The software product as recited in Claim 65 further comprising spending the 
file key to the client machine in which the encrypted data portion can be 
decrypted with the file key by a cipher module executing in the client machine. 



67. A software product to be executable in a computing device for providing 
access control management to electronic data, the software product 
comprising: 

program code for authenticating a user attempting to access the electronic 
data; 

program code for maintaining a private,key and a public key, both 
associated with the user, wherein/the electronic data, when secured, 
includes a header and an encrypted data portion, the header further 
includes security information/ 

/ 

program code for encrypting the security information with the public key 

when the electronic data/is to be written into a store; and 
program code for decrypting the security information with the private key 



data is to 



when the electronic data is to be accessed by an application. 



68. The software product ^as recited in Claim 67, wherein the program code for 
authenticating the user comprises: 

program code for establishing a link with a client machine from which the 

user is attempting to access the electronic data; 
program ccrae for demanding credential information from the user; and 
program/code for receiving the credential information from the client 
machine over the secured link. 
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69. The software product as recited in Claim 68, wherein the credential 

information includes a pair of username and password provided by the user. 



70. The software product as recited in Claim 68, wherein the'credential 

/ 

information includes biometric information captured from the user by an 



apparatus coupled to the client machine. 



71 .The software product as recited in Claim 68, wherein the program code for 
encrypting the security information with the public key comprises: 

program code for receiving access rules and a file key from the client 
machine over the link, wherein the file key has been used to produce 
the encrypted data portion in the client machine; 
program code for including the access rules and a file key into the security 
information; and 

program code for encrypting the'security information with the public key. 
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72. The software product as recited in Claim 71 further comprising 



program code for generating the header with the security information 

encrypted therein; and 
program code for uploading the header to the client machine where the 
header is integrated with the encrypted data portion. 



73. The software product as recited in Claim 74, wherein the access rules are 
expressed in a markup language. 

74. The software product as recited in Claim 73, wherein the markup language is 
one of Extensible Access Control Markup Language, HTML, XML and SGML. 
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75. The software product as recited in Claim 68, wherein the program code for 
decrypting the security information with the private key comprises: 

program code for receiving the header from the client/nachine over the 
link; 

program code for parsing the security informationyfrom the header; and 
program code for decrypting the security information with the private key. 

76. The software product as recited in Claim 75 further comprising: 

program code for obtaining access rules^ffom the security information; 
program code for determining whether Jhe access rules accommodate 

access privilege of the user; 
when the determining program code 7 is executed successfully, 
program code for retrieving a file/rom the security information; and 
program code for sending the file key to the client machine over the link, 
when the determining program code is executed unsuccessfully, 
program code for sending^n error message to the client machine over the 

link. 

77. The software product ai recited in Claim 76 wherein the error message 
indicate that the use/does not have the access privilege to access the 
electronic data. / 

78. A software product to be executable in a computing device for providing 
access control management to electronic data, the software product 
comprising: 
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program code for receiving a request to access the electronic^ta by an 

application; / 
program code for determining security nature of the electronic data; 
when the security nature indicates that the electronic^data is secured, 
wherein the electronic data including a header and an encrypted data 
portion, the header further including security ^formation, 

program code for determining from the^ecurity information if the 
user has necessary access privilege to access the encrypted 
data portion; and 
program code for decrypting the encrypted data portion only after 
the determining from the security information succeeds. 



79. The software product as recited in Claim 78 further comprising program code 
for retrieving a user key associated with a user making the request. 



80. The software product as recited^in Claim 79 wherein the program code for 
determining from the security information, if the user has necessary access 
privilege, comprises: 

program code for decrypting the security information with the user key; 
program code for retrieving access rules from the security information; and 
program code for measuring the access rules against the access privilege 
of the user. 



81. The software product as recited in Claim 80 further comprising: 

program code for retrieving a file key from the security information if the 
measuring of the access rules against the access privilege succeeds. 
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82. The software product as recited in Claim 80 further comprising: 

program code for causing the client machine to display an error message 
to the user if the measuring of the access rules against the access 
privilege fails. 



83. The software product as recited in Claim 80, wherein the program code for 
retrieving the user key comprises: / 

program code for establishing a link with a server executing an access 

control management; / 
program code for sending to the server an authentication request including 

an identifier identifying the user for the access control management to 

authenticate the user; j 
program code for forwarding/the header to the server; and 
program code for receiving^ file key retrieved from the header. 

84. The software product asserted in Claim 83 further comprising: 

program code for activating a cipher module; and 
program code for decrypting the encrypted data portion by the cipher 
module with the received file key. 

85. The software product as recited in Claim 84 further comprising program code 
for loading the/decrypted data portion into the application. 

86. The software product as recited in Claim 79, wherein the program code for 
retrieving the user key comprises: 

pro/ram code for establishing a link with a server executing an access 
/control management; 
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program code for sending to the server an authentication request including 
an identifier identifying the user for the access/X)ntrol management to 
authenticate the user; 

program code for receiving an authenticatiqH message after the user is 
authenticated; and 

program code for activating the user k£y locally in the client machine. 



87. The software product as recited irySlaim 86, wherein the user key is in an 
illegible format before the activating of the user key locally in the client 
machine. 



H 88. The software product as recited in Claim 86, wherein the computing device is 

^ / 

:;p a media player having a network capacity, the media player generating audio 

I U / 

and/or video fron/the electronic data when the software product is executed 
in the media Dlayer. 
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